76 Popular iOS apps are vulnerable to man-in-the-middle (MITM) attacks

A study conducted on iOS mobile apps revealed that many of them are affected by security vulnerabilities that expose users to man-in-the-middle (MitM) attacks.

A new study confirms that dozens of iOS apps are affected by vulnerabilities that could be exploited by hackers to run man-in-the-middle (MitM) and intercept data from connections even if protected by TLS.

The study was conducted by the developers at verify.ly, a service that analyzes iOS apps searching for security issues. The experts analyzed applications in the Apple App Store and discovered hundreds of security issues that potentially expose mobile users to MITM attacks. All the applications have been tested on iPhone mobile devices running iOS 10 version and confirmed that 76 had been vulnerable.

The impact is serious if we consider that the affected applications account for more than 18 million downloads. The vulnerability is considered high risk in the case of 19 of the 76 applications. The applications expose sensitive data, including financial or medical service credentials or session authentication tokens.

“During the testing process, I was able to confirm 76 popular iOS applications allow a silent man-in-the-middle attack to be performed on connections which should be protected by TLS (HTTPS), allowing interception and/or manipulation of data in motion.” reads the blog post published by the researchers.

“According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability.”

Examining the key findings of the report we can see that:

the medium-risk category includes 24 iOS apps that expose login credentials and session authentication tokens.
the low-risk category includes 33 iOS apps that are affected by flaws that could be exploited by attackers to intercept only partially sensitive information such as email addresses and login credentials.

“This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” continues the post. “Such an attack can be conducted using either custom hardware, or a slighly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

The security issues discovered by the experts are the result of the lax of adoption of secure coding techniques. Waiting for a fix, the users of the affected iOS apps need to avoid using them on Wi-Fi networks.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – iOS apps, MITM)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.